Craig White wrote:
> On Tue, 2009-08-04 at 09:26 -0700, Eric Shubert wrote:
>> Craig White wrote:
>>> On Tue, 2009-08-04 at 08:10 -0700, Eric Shubert wrote:
>>>> Once you have a caching nameserver set up on an orange host, any
>>>> additional servers on the orange subnet can use that resolver as
>>>> well.
>>>> You might need to tweak the config a little to allow other machines
>>>> to
>>>> query it though - I'm not sure how tight the default configuration is
>>>> for caching-nameserver.
>>> ----
>>> that is probably a bad security risk, though if you are careful with
>>> iptables rules you can be specific about which hosts are allowed to
>>> access port 53 (udp/tcp).
>>>
>>> Craig
>>>
>>>
>> I don't think the risk would be very high:
>> .) IPCop wouldn't allow access from outside of the orange subnet.
>> .) installing chroot-bind reduces the risk as well.
> ----
> I could be wrong about this but my understanding of a DMZ is that it
> would be mapped to a public IP address and nothing would be filtered at
> all inbound from untrusted Internet and thus the services are exposed to
> everyone, which is why DMZ is not allowed to access the 'green' network.
> DMZ systems are just routed public addresses. You can probably add
> filtering/firewalling on IPCop for DMZ hosts if you choose but I don't
> know that. Bind servers have a history of being exploited and unless you
> are willing to do the research in order to secure a public DNS service,
> just don't do it.
>
> Craig
>
>
Yeah, I agree. Putting a DNS resolver on an IPCop orange subnet isn't
really a public DNS service though.
I don't believe that IPCop's orange subnet is a DMZ according to your
understanding. With IPCop, the orange subnet (sometimes referred to as a
DMZ but I'm not sure that's entirely accurate given your understanding)
is a private subnet all its own. Traffic is NAT'd from red (public) to
orange, so the hosts there aren't exposed as much as if they had public
addresses. All traffic to orange hosts from the public side needs to be
routed specifically with port forwarding.
At least that's how I've been setting it up. I could be wrong as well
(it's been known to happen). ;)
--
-Eric 'shubes'
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
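The thread above turns on one question: does the caching nameserver on the orange host answer recursive queries only for the hosts you intend, or for anyone who can reach port 53? Below is an added example (not code from the thread or from IPCop/BIND) that probes a resolver the way an outside attacker would, with a single recursive A query, and classifies the reply. It assumes BIND with `allow-query { 192.168.2.0/24; };` and `allow-recursion { 192.168.2.0/24; };`, so that a client outside the orange subnet gets REFUSED; the resolver address `192.168.2.1`, the subnet, and the transaction id are placeholders.

```python
"""Open-resolver probe (added example, not from the PLUG thread).

Assumptions (not part of the original message):
  - the caching nameserver is BIND configured with
        allow-query     { 192.168.2.0/24; };
        allow-recursion { 192.168.2.0/24; };
    so that a client outside the orange subnet receives REFUSED (rcode 5);
  - ORANGE_RESOLVER and 192.168.2.0/24 are placeholder values.
"""
import socket
import struct

ORANGE_RESOLVER = "192.168.2.1"   # placeholder address, assumed
DNS_PORT = 53
TXID = 0x1234                      # fixed id so replies can be matched
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a standard recursive A/IN query in DNS wire format (RFC 1035)."""
    flags = 0x0100                                     # QR=0, opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    qname += b"\x00"                                   # root label terminator
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_response(data: bytes) -> dict:
    """Pull out the header fields that show what the server did with recursion."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # response bit
        "rd": bool(flags & 0x0100),      # recursion desired, echoed from query
        "ra": bool(flags & 0x0080),      # recursion available to *this* client
        "rcode": RCODES.get(rcode, str(rcode)),
        "answers": an,
    }


def classify(resp: dict) -> str:
    """Map a parsed reply to what it means for the resolver's exposure."""
    if resp["rcode"] == "REFUSED":
        return "refused"          # allow-query / allow-recursion denied us: good
    if resp["ra"] and resp["rcode"] == "NOERROR" and resp["answers"] > 0:
        return "open"             # it recursed for us and answered: open resolver
    if resp["ra"]:
        return "recursion-offered"  # RA set, no answer this time; treat as open
    return "non-recursive"        # RA clear: recursion disabled for this client


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one recursive query over UDP and classify the reply.

    'timeout' usually means an iptables DROP on port 53 for our source address,
    which is the other way the thread suggests limiting who can reach the resolver.
    """
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, DNS_PORT))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
    resp = parse_response(data)
    if resp["id"] != TXID or not resp["qr"]:
        raise ValueError("reply does not match our query")
    return classify(resp)


if __name__ == "__main__":
    print(probe(ORANGE_RESOLVER))
```

Run it from an orange host and from a host that should be denied (a green host, or a machine on the red side if you have port-forwarded 53): the first should print `open` and the second `refused` or `timeout`. If the outside probe prints `open`, the ACLs or the iptables rules are not doing what the thread assumes.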